Vous êtes sur la page 1sur 11
HPE Security ArcSight Connectors SmartConnector for Symantec Messaging Gateway Syslog Configuration Guide November 30, 2016

HPE Security ArcSight Connectors

SmartConnector for Symantec Messaging Gateway Syslog

Configuration Guide

November 30, 2016

Configuration Guide

SmartConnector for Symantec Messaging Gateway Syslog

November 30, 2016

Copyright © 2006 – 2016 Hewlett Packard Enterprise Development LP


The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise Development LP shall not be liable for technical or editorial omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. Hewlett Packard Enterprise Development LP products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential.

Restricted Rights Legend

Confidential computer software. Valid license from Hewlett Packard Enterprise Development LP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Follow this link to see a complete statement of Hewlett Packard Enterprise Development LP copyrights, trademarks and acknowledgements:

Revision History




Updated installation procedure for setting preferred IP address mode.


Added support for event merging. Removed support for versions 5.0, 7.6, and 8.0 due to end of support by the vendor.


Added support for Messaging Gateway version 10.5. Added parameters for Syslog File.


Added parameter for Syslog Daemon connector configuration. Added support for Messaging Gateway version 10 event types.


Added new installation procedure.


Renamed connector from Symantec Mail Security to Symantec Messaging Gateway; added support for versions 8.0 and 9.0.

Configuration Guide

SmartConnector for Symantec Messaging Gateway Syslog

This guide provides information for installing the SmartConnector for Symantec Messaging Gateway Syslog and configuring the appliance for event collection. Device versions 9.0, 10.0, and 10.5 are supported.

Product Overview

Symantec Messaging Gateway offers enterprises a comprehensive gateway-based message-security solution. It delivers inbound and outbound messaging security, real-time antispam and antivirus protection, advanced content filtering, and data loss prevention in a single platform.


Configuring Log Settings

The operating system provides a local logging facility, via syslog, that is configured to store logs accessed through the Control Center. You can configure log settings for Symantec Messaging Gateway components on each Scanner in your system. The severity of errors you want written to the log files can be chosen for the following components:

  • Conduit

  • Filter Engine

  • Mail Transfer Agent

Five logging levels are provided. Each successive level includes all errors from previous levels. Your choices, from the least to the greatest amount of error reporting, and from the highest to the lowest severity, are as follows:

  • Errors (least logged data)

  • Warnings

  • Notices

  • Information

  • Debug (most logged data)

To configure log settings:

  • 1 In the Control Center, click Settings -> Log Settings.

  • 2 On the Log Settings page, under Logging, choose a Scanner from the Host drop-down list.

  • 3 Use the component drop-down lists to select the logging level for each component.

SmartConnector for Symantec Messaging Gateway Syslog

  • 4 Complete the items under Syslog Settings.

  • 5 For changes to apply to all scanners, check Apply to all hosts.

  • 6 To reduce the size of the log table under Log Storage Limits, check Maximum log size. As the table exceeds the size specified, the oldest entries are removed. If you check Maximum log size, indicate an upper limit for log size in KB, MB, or GB. The default is 50 MB.

  • 7 Enter a numeric value in Maximum number of days to retain. The default is 7.

  • 8 Under Log Expunger, choose a frequency and a start time when the Control Center runs the Log Expunger to delete log data. The default is once per day.

  • 9 Click Save to store your information.

Configure Event Merging

The Symantec Messaging Gateway system provides a way to track security-relevant information on the system. Based on pre-configured rules, Symantec Messaging Gateway generates log entries to record as much information as possible about the events happening on your system. These events often contains multiple sub-events that can span multiple lines. The event merging feature aggregates the related sub-events into one large event with a concatenated long message.

To enable event merging:

  • 1 Set up the Syslog Daemon connector according to the instructions in "Configure the Syslog SmartConnectors".

  • 2 Edit the syslog.subagent.parsers parameter in the agent.properties file (located in the $ARCSIGHT_HOME/current/user/agent folder) as follows: agents[0].syslog.subagent.parsers=sms7x_syslog\:merge

  • 3 Start the connector as described in "Run the SmartConnector".

Configure the Syslog SmartConnectors

The three ArcSight Syslog SmartConnectors are:

Syslog Daemon

Syslog Pipe

Syslog File

The Syslog Daemon SmartConnector

The Syslog Daemon SmartConnector is a syslogd-compatible daemon designed to work in operating systems that have no syslog daemon in their default configuration, such as Microsoft Windows. The SmartConnector for Syslog Daemon implements a UDP receiver on port 514 (configurable) by default that can be used to receive syslog events. Use of the TCP protocol or a different port can be configured manually.

Configuration Guide

If you are using the SmartConnector for Syslog Daemon, simply start the connector, either as a service or as a process, to start receiving events; no further configuration is needed.

Configuration Guide If you are using the SmartConnector for Syslog Daemon, simply start the connector, either

Messages longer than 1024 bytes may be split into multiple messages on syslog daemon; no such restriction exists on syslog file or pipe.

The Syslog Pipe and File SmartConnectors

When a syslog daemon is already in place and configured to receive syslog messages, an extra line in the syslog configuration file (rsyslog.conf) can be added to write the events to either a file or a system pipe and the ArcSight SmartConnector can be configured to read the events from it. In this scenario, the ArcSight SmartConnector runs on the same machine as the syslog daemon.

The Syslog Pipe SmartConnector is designed to work with an existing syslog daemon. This SmartConnector is especially useful when storage is a factor. In this case, syslogd is configured to write to a named pipe, and the Syslog Pipe SmartConnector reads from it to receive events.

The Syslog File SmartConnector is similar to the Pipe SmartConnector; however, this SmartConnector monitors events written to a syslog file (such as messages.log) rather than to a system pipe.

Configure the Syslog Pipe or File SmartConnector

This section provides information about how to set up your existing syslog infrastructure to send events to the ArcSight Syslog Pipe or File SmartConnector.

The standard UNIX implementation of a syslog daemon reads the configuration parameters from the /etc/rsyslog.conf file, which contains specific details about which events to write to files, write to pipes, or send to another host. First, create a pipe or a file; then modify the /etc/rsyslog.conf file to send events to it.

For syslog pipe:

  • 1 Create a pipe by executing the following command: mkfifo /var/tmp/syspipe

  • 2 Add the following line to your /etc/rsyslog.conf file: *.debug /var/tmp/syspipe or *.debug |/var/tmp/syspipe depending on your operating system.

  • 3 After you have modified the file, restart the syslog daemon either by executing the scripts /etc/init.d/syslogd stop and /etc/init.d/syslogd start, or by sending a `configuration restart` signal. On RedHat Linux, you would execute: service syslog restart

SmartConnector for Symantec Messaging Gateway Syslog

On Solaris, you would execute:

kill -HUP `cat /var/run/syslog.pid´

This command forces the syslog daemon to reload the configuration and start writing to the pipe you just created.

For syslog file:

Create a file or use the default for the file into which log messages are to be written.

After editing the /etc/rsyslog.conf file, be sure to restart the syslog daemon as described above.

When you follow the SmartConnector Installation Wizard, you will be prompted for the absolute path to the syslog file or pipe you created.

Install the SmartConnector

The following sections provide instructions for installing and configuring your selected SmartConnector.

Syslog Installation

Install this SmartConnector (on the syslog server or servers identified in the Configuration section) using the SmartConnector Installation Wizard appropriate for your operating system. The wizard will guide you through the installation process. When prompted, select one of the following Syslog connectors (see Configure the Syslog SmartConnectors in this guide for more information):

Syslog Daemon

Syslog Pipe

Syslog File

Because all syslog SmartConnectors are sub-connectors of the main syslog SmartConnector, the name of the specific syslog SmartConnector you are installing is not required during installation.

The syslog daemon connector by default listens on port 514 (configurable) for UDP syslog events; you can configure the port number or use of the TCP protocol manually. The syslog pipe and syslog file connectors read events from a system pipe or file, respectively. Select the one that best fits your syslog infrastructure setup.

Prepare to Install Connector

Before you install any SmartConnectors, make sure that the ArcSight products with which the connectors will communicate have already been installed correctly (such as ArcSight ESM or ArcSight Logger). This configuration guide takes you through the installation process with ArcSight Manager (encrypted) as the destination.

For complete product information, read the Administrator's Guide as well as the Installation and Configuration guide for your ArcSight product before installing a new SmartConnector. If you are adding a connector to the ArcSight Management Center, see the ArcSight Management Center Administrator's Guide for instructions, and start the installation procedure at "Set Global Parameters (optional)" or "Select Connector and Add Parameter Information."

Configuration Guide

Before installing the SmartConnector, be sure the following are available:

  • Local access to the machine where the SmartConnector is to be installed

  • Administrator passwords

Install Core Software

Unless specified otherwise at the beginning of this guide, this SmartConnector can be installed on all ArcSight supported platforms; for the complete list, see the SmartConnector Product and Platform Support document, available from the HPE SSO and Protect 724 sites.

  • 1 Download the SmartConnector executable for your operating system from the HPE SSO site.

  • 2 Start the SmartConnector installation and configuration wizard by running the executable.

Configuration Guide Before installing the SmartConnector, be sure the following are available:  Local access to

When installing a syslog daemon SmartConnector in a UNIX environment, run the executable as 'root' user.

Follow the wizard through the following folder selection tasks and installation of the core connector software:

Introduction Choose Install Folder Choose Shortcut Folder Pre-Installation Summary Installing ...

  • 3 When the installation of SmartConnector core component software is finished, the following window is displayed:

Configuration Guide Before installing the SmartConnector, be sure the following are available:  Local access to

SmartConnector for Symantec Messaging Gateway Syslog

Set Global Parameters (optional)

If you choose to perform any of the operations shown in the following table, do so before adding your connector. After installing core software, you can set the following parameters:

Global Parameter


Set FIPS mode

Set to 'Enable' to enable FIPS compliant mode. To enable FIPS Suite B Mode, see the SmartConnector User Guide under "Modifying Connector Parameters" for instructions. Initially, this value is set to 'Disable'.

Set Remote

Set to 'Enable' to enable remote management from ArcSight Management Center.

The remote management device will listen to the port specified in this field. The default


When queried by the remote management device, the values you specify here for

Remote management listener port

enabling remote management and the port number will be used. Initially, this value is set to 'Disable'.

port number is 9001.

Preferred IP Version

If both IPv4 and IPv6 IP addresses are available for the local host (the machine on which the connector is installed), you can choose which version is preferred. Otherwise, you will see only one selection. When both values are present, the initial

setting is IPv4.

After making your selections, click Next. A summary screen is displayed. Review the summary of your selections and click Next. Click Continue to return to the "Add a Connector" window. Continue the installation procedure with "Select Connector and Add Parameter Information."

Select Connector and Add Parameter Information

  • 1 Select Add a Connector and click Next. If applicable, you can enable FIPS mode and enable remote management later in the wizard after SmartConnector configuration.

  • 2 Select Syslog Daemon, File, or Pipe and click Next.

  • 3 Enter the required SmartConnector parameters to configure the SmartConnector, then click Next.


Network port

The SmartConnector for Syslog Daemon listens for syslog events from this port.




IP Address

The SmartConnector for Syslog Daemon listens for syslog events only from this IP address (accept the default (ALL) to bind to all available IP addresses).


The SmartConnector for Syslog Daemon uses the selected protocol (UDP or Raw TCP) to receive incoming messages. When selecting Raw TCP, connections remain idle in a CLOSE_WAIT state until closed explicitly by the application, and can eventually exceed the connector or OS limit. To find out how to correct or avoid this problem, see "Raw TCP Connection" in the Additional Configuration section.


Change this parameter to 'true' only if the events being processed are coming from another SmartConnector sending to a CEF Syslog destination, and that destination also has CEF forwarder mode enabled. That allows attributes of the original connector to be retained in the original agent fields.

Syslog Pipe


Absolute path to the pipe, or accept the default:




Path Name

Syslog File

File Absolute

Enter the full path name for the file from which this connector will read events or


Path Name

accept the default: \var\adm\messages (Solaris) or \var\log\messages (Linux).

A wildcard pattern can be used in the file name; however, in realtime mode, rotation can occur only if the file is over-written or removed from the folder.

Realtime processing mode assumes following external rotation.

Configuration Guide

For date format log rotation, the device writes to 'filename.timestamp.log' on a daily basis. At a specified time, the device creates a new daily log and begins to write to it. The connector detects the new log and terminates the reader thread to the previous log after processing is complete. The connector then creates a new reader thread to the new 'filename.timestamp.log' and begins processing that file. To enable this log rotation, use a date format in the file name as shown in the following example:


For index log rotation, the device writes to indexed files - 'filename.log.001', 'filename.log.002', 'filename.log.003', and so on. At startup, the connector processes the log with highest index. When the device creates a log with a greater index, the connector terminates the reader thread to the previous log after processing completes, creates a thread to the new log, and begins processing that log. To enable this log rotation, use an index format, as shown in the following example:


Specifying 'true' indicates that it is allowed for the index to be skipped; for example, if 5 appears before 4, processing proceeds with 5 and will not read 4, even if 4 appears later. Use of 'true' is optional.


Specify whether file is to be read in batch or realtime mode. For batch mode, all

Events Real

files are read from the beginning. The 'Action Upon Reaching EOF' and 'File

Time or

Extension if Rename Action' parameters apply for batch mode only.


Action Upon

For batch mode, specify 'None', 'Rename', or 'Delete' as the action to be

For batch mode, specify the extension to be added to the file name if the action


performed to the file when the connector has finished reading and reaches end of


file (EOF). For realtime mode, leave the default value of 'None' for this



Extension If

upon EOF is 'Rename' or accept the default value of '.processed'.



Select a Destination

  • 1 The next window asks for the destination type; make sure ArcSight Manager (encrypted) is selected and click Next. (For information about this destination or any of the other destinations listed, see the ArcSight SmartConnector User Guide.)

  • 2 Enter values for the Manager Host Name, Manager Port, User and Password required parameters. This is the same ArcSight user name and password you created during the ArcSight Manager installation. Click Next.

  • 3 Enter a name for the SmartConnector and provide other information identifying the connector's use in your environment. Click Next. The connector starts the registration process.

  • 4 The certificate import window for the ArcSight Manager is displayed. Select Import the certificate to the connector from destination and click Next. (If you select Do not import the certificate to connector from destination, the connector installation will end.) The certificate is imported and the Add connector Summary window is displayed.

Complete Installation and Configuration

  • 1 Review the Add Connector Summary and click Next. If the summary is incorrect, click Previous to make changes.

SmartConnector for Symantec Messaging Gateway Syslog

  • 2 The wizard now prompts you to choose whether you want to run the SmartConnector as a stand- alone process or as a service. If you choose to run the connector as a stand-alone process, select Leave as a standalone application, click Next, and continue with step 5.

  • 3 If you chose to run the connector as a service, with Install as a service selected, click Next. The wizard prompts you to define service parameters. Enter values for Service Internal Name and Service Display Name and select Yes or No for Start the service automatically. The Install Service Summary window is displayed when you click Next.

  • 4 Click Next on the summary window.

  • 5 To complete the installation, choose Exit and Click Next.

For some SmartConnectors, a system restart is required before the configuration settings you made take effect. If a System Restart window is displayed, read the information and initiate the system restart operation.

SmartConnector for Symantec Messaging Gateway Syslog 2 The wizard now prompts you to choose whether you

Save any work on your computer or desktop and shut down any other running applications (including the

ArcSight Console, if it is running), then shut down the system.

For instructions about upgrading the connector or modifying parameters, see the SmartConnector User Guide.

Raw TCP Connection

When selecting Syslog Daemon, with Raw TCP, connections remain idle in a CLOSE_WAIT state until closed explicitly by the application. Idle connections can grow over a period of time and can exceed the connector limit or the OS limit. By default the agents[0].tcppeerclosedchecktimeout=-1 property in agent.properties keeps all TCP sessions open, which causes the connectors to crash after too many sessions or files are open.

This can be corrected in the default configuration by allowing adequate time for closing TCP sockets by changing tcppeerclosedchecktimeout=-1 to tcppeerclosedchecktimeout=30000 (msec) or

greater. Once the parameter is set to 30000 msec, the sessions start to close after the client has closed its connection. In addition, the agents[0].tcpmaxsockets=1000 parameter can be increased as

required to accommodate simultaneous connections from a large number of devices.

Run the SmartConnector

SmartConnectors can be installed and run in stand-alone mode, on Windows platforms as a Windows service, or on UNIX platforms as a UNIX daemon, depending upon the platform supported. On Windows platforms, SmartConnectors also can be run using shortcuts and optional Start menu entries.

If the connector is installed in stand-alone mode, it must be started manually and is not automatically active when a host is restarted. If installed as a service or daemon, the connector runs automatically when the host is restarted. For information about connectors running as services or daemons, see the ArcSight SmartConnector User Guide.

To run all SmartConnectors installed in stand-alone mode on a particular host, open a command window, go to $ARCSIGHT_HOME\current\bin and run: arcsight connectors

Configuration Guide

To view the SmartConnector log, read the file $ARCSIGHT_HOME\current\logs\agent.log; to stop all SmartConnectors, enter Ctrl+C in the command window.

Device Event Mapping to ArcSight Fields

The following section lists the mappings of ArcSight data fields to the device's specific event definitions. See the ArcSight Console User's Guide for more information about the ArcSight data fields.

Symantec Messaging Gateway Event Mappings to ArcSight ESM Fields

ArcSight ESM Field

Device-Specific Field

Agent (Connector) Severity

Very High when Device Severity = emerg or alert; High when Device Severity = crit or err; Medium when Device Severity = warning or notice; Low when Device Severity = info; Very Low when Device Severity = debug

Device Custom String 2 Device Custom String 3 Device Direction Device Event Class ID Device Facility Device Process Name Device Product Device Severity Device Vendor External ID Message

pid (Process ID) Externalid (Full External ID) direction info _SYSLOG_FACILITY procname 'Messaging Gateway' _SYSLOG_PRIORITY 'Symantec' externalId (40 characters)

One of (Msg,(mergedevent.message,"|",msg))